diff --git a/libs/fst/00_PATCH_wx_len_overread.patch b/libs/fst/00_PATCH_wx_len_overread.patch
new file mode 100644
index 000000000..7fba1c2d6
--- /dev/null
+++ b/libs/fst/00_PATCH_wx_len_overread.patch
@@ -0,0 +1,10 @@
+--- fstapi.cc
++++ fstapi.cc
+@@ -6072,6 +6072,7 @@ for(;;)
+ }
+
+ wx_len = snprintf(wx_buf, 32, "r%.16g", d);
++ if (wx_len > 32 || wx_len < 0) wx_len = 32;
+ fstWritex(xc, wx_buf, wx_len);
+ }
+ }
diff --git a/libs/fst/00_UPDATE.sh b/libs/fst/00_UPDATE.sh
index 7ab74d7cd..66a0fd8df 100755
--- a/libs/fst/00_UPDATE.sh
+++ b/libs/fst/00_UPDATE.sh
@@ -18,3 +18,4 @@ sed -i -e 's,"fastlz.c","fastlz.cc",' *.cc *.h
 patch -p0 < 00_PATCH_win_zlib.patch
 patch -p0 < 00_PATCH_win_io.patch
 patch -p1 < 00_PATCH_strict_alignment.patch
+patch -p0 < 00_PATCH_wx_len_overread.patch
diff --git a/libs/fst/fstapi.cc b/libs/fst/fstapi.cc
index a4329cf32..ab3c54469 100644
--- a/libs/fst/fstapi.cc
+++ b/libs/fst/fstapi.cc
@@ -3907,16 +3907,18 @@ while (value)
 static int fstVcdIDForFwrite(char *buf, unsigned int value)
 {
 char *pnt = buf;
+ int len = 0;
 /* zero is illegal for a value...it is assumed they start at one */
-while (value)
+while (value && len < 14)
 {
 value--;
+ ++len;
 *(pnt++) = (char)('!' + value % 94);
 value = value / 94;
 }
-return(pnt - buf);
+return len;
 }
@@ -6070,6 +6072,7 @@ for(;;)
 }
 wx_len = snprintf(wx_buf, 32, "r%.16g", d);
+ if (wx_len > 32 || wx_len < 0) wx_len = 32;
 fstWritex(xc, wx_buf, wx_len);
 }
 }
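Review bot: The patch file registered by the new `patch -p0 < 00_PATCH_wx_len_overread.patch` line carries only the `wx_len` clamp, while the same commit also edits `fstVcdIDForFwrite` in fstapi.cc directly. If this script regenerates fstapi.cc from upstream, as the neighbouring `sed` and `patch` lines suggest, the `len < 14` bound would be dropped on the next update unless upstream already contains it. Adding that hunk to 00_PATCH_wx_len_overread.patch, or to a second patch file listed here, would keep the two fixes together. The rest of the script is outside the hunk, so the regeneration step is inferred rather than visible.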
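Review bot: The new bound `len < 14` in `fstVcdIDForFwrite` is a bare constant with no visible link to the size of the buffer the caller passes as `buf`, and the loop now stops silently when the bound is reached. For a 32-bit `unsigned int` the base-94 encoding needs at most five characters, so the limit looks purely defensive and should say so, e.g. `/* a 32-bit value encodes to at most 5 chars; 14 only caps the write into buf */`. A named constant shared with the caller's buffer declaration would be stronger than the comment. The callers are outside the hunk, so it still needs confirming that every `buf` passed in holds at least 14 bytes.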
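Review bot: The clamp added after `snprintf` still lets `fstWritex` emit bytes that were never formatted. On an error return (`wx_len < 0`) it writes 32 bytes of whatever `wx_buf` holds at that point, and on truncation the 32nd byte is the terminating NUL, because `snprintf` stores at most 31 characters for a size of 32. Assuming `wx_buf` is 32 bytes, as the size argument suggests, `if (wx_len < 0) wx_len = 0; else if (wx_len > 31) wx_len = 31;` keeps the write inside formatted data. The identical line is carried in 00_PATCH_wx_len_overread.patch and needs the same change. The enclosing `for(;;)` body starts and ends outside the hunk, so the declaration of `wx_buf` is not visible here.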